Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)

Posted Nov 15, 2022 15:49 UTC (Tue) by jpfrancois (subscriber, #65948)
In reply to: Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs) by eduperez
Parent article: Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)

We are not shipping a crappy fire-and-forget IoT thingy, but hardware for which we have been publishing updates for five years now. Yet you are right, "we ship a product that could be full of security holes, but we do not know". It is not a critical product, and is intended to be configured and eventually remote controlled on a local network. So the worst that can happen is to transform a unit into a tiny part of a DDoS attack.

I honestly don't know how you qualify a "security hole" for a "custom distro". If a library with a CVE is used, but is never exposed to malicious input, how is that a problem for the shipped hardware? And I am pretty sure this kind of custom distro (buildroot / openembedded) is heavily used.

Rules for hardware conformance don't change every now and then. Yet hardware certification is a time-consuming process with bureaucratic traps.
The CVE list, on the other hand, changes every day.

This can raise the bar and improve the global software security status. But I know our barely profitable (but growing) business would be much less profitable if we had to have someone do this kind of security analysis in-house.

Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds